The growing importance of adequately protecting computer resources is constantly highlighted by an ever-increasing number of high profile IT security incidents appearing in the media.
Properly conducted penetration testing can identify vulnerabilities in networked infrastructures and provide recommendations, which when implemented can mitigate or eliminate the vulnerabilities. If undertaken in a timely manner this can reduce the risk of unauthorized access.
According to the Department of Trade and Industry's (DTI) Information Security Breaches Survey 2002 (www.security-survey.gov.uk), 44 percent of U.K. businesses suffered at least one security incident in the past year. The report also shows that during this time, U.K. businesses incurred billons of pounds in financial losses due to security breaches. Major contributors to these losses were virus infections, data corruption, unauthorized access to confidential data and the compromising of web sites. Approximately 4 percent of businesses surveyed in the DTI report suffered costs of more than £500,000 (around $284,000) following a single incident. The report also highlights a "Top Ten Actions for the Board." Included in these actions is the need to test compliance with security policies through security audits and penetration testing.
Despite the bursting of the dot.com bubble many organizations are placing increased dependence on Internet applications to provide business functionality to customers, suppliers and staff. The impact of this is that the identification of a traditional external security perimeter, has, for large organizations in particular, become a challenge. As a result organizations can no longer rely upon the protection of a single external point of connection to potentially hostile networks. This creates the need for security 'in depth' which in turn requires organizations to protect their data at the operating, system, database and application level, as well as the network level.
Security penetration testing needs to reflect this changing environment, as the old adage of only being as strong as your weakest link continues to hold true. The remainder of this article outlines the different types of penetration testing that may be performed to accurately assess real threats. It also identifies some of the key characteristics that organizations should consider when undertaking or commissioning penetration testing.
Network penetration testing can be performed internally or externally. External testing comes from beyond the organization's control, e.g. the Internet. Internal testing is performed from points within an organization's own network(s). In both cases, penetration testing is used to identify vulnerabilities in the configuration and controls of network services and the underlying infrastructure.
The increasing number of transactional web sites and web-enabled applications has fuelled the need for application penetration testing to supplement network based testing. The primary reason is that the opportunities to exploit security vulnerabilities at the application level has grown significantly as the functionality offered by web-enabled applications has increased.
Application penetration testing involves the examination of the composition and implementation of networked applications and their associated communication methods (which usually exist on top of the network protocols and infrastructure normally tested during network penetration testing). For example, an online banking application may consist of active server pages passed from a bank's server using HTTP, which all exist on a Windows 2000 server using the TCP/IP network protocol.
Application penetration testing requires additional skill sets to those needed for conducting a network penetration test. An understanding of operating systems and networking protocols is essential, as with network penetration testing, but application penetration testing also requires a good understanding of programming techniques and cryptography.
Whichever type of penetration test is performed, the same approach should be applied. Prior to engaging in a penetration testing assignment, the threats and risks of greatest concern need to be agreed to ensure that the testing is realistic and effective. For example, the ability for one customer to access details of another customer's details would be a great concern to a bank, as such a failing in integrity could cause significant damage to its reputation.
A properly performed penetration test will not only identify the individual vulnerabilities of a particular environment, but will also provide an indication of any root causes. The root causes of insecure network environments are often less technically focused than the individual vulnerabilities and fixes themselves. While it is important to understand how to identify and address individual issues, it is equally important to understand why an environment has become insecure in the first place. Addressing the root causes can help prevent the introduction of individual vulnerabilities before they are implemented, or from reoccurring. For example, the improvement of change control procedures could prevent the implementation of a software patch that could cause another software component to become vulnerable when the patch is applied.
Penetration testing results give a snapshot representation of an environment at the time of testing. Configurations, release versions, patch levels and known vulnerabilities evolve continuously, which means that for a penetration testing strategy to work effectively, testing needs to be repeated regularly to ensure that security holes do not open up as factors affecting the environment shift or change. A professionally executed penetration test is one efficient and cost-effective way to identify security exposures. However, performing any penetration test requires a proven methodology to ensure that organizations receive the maximum benefits of realistic testing, while managing the risk of potentially destructive techniques and methods used to maximize the accuracy and validity of testing. This is especially relevant when testing 'live' environments where there is a fine balance between realistic testing and negatively impacting an organization's business systems.
Since the last DTI Information Security Breaches Survey in 2000, the proportion of businesses taking on external testing has remained the same. However, with more businesses taking notice of the importance of prevention rather than cure this proportion is likely to increase over the years. Penetration testing provides a unique measure of the security of a networked environment from a realistic end-to-end perspective, which cannot be achieved to the same degree with other forms of testing such as system configuration reviews or audits. These other types of testing can be used to complement penetration testing, but performed separately, only give a reflection of the security of isolated components of an environment as opposed to an indication of the real-life risks, which is possible with penetration testing.
Simon Waring is part of PricewaterhouseCoopers Global IT Security Practice and is based in London. He can be contacted at [email protected].